CLINICAL ENGINEERING


in automated medical equipment. Security researchers discovered flaws in outdated medical equipment still in use by some healthcare providers.4


These vulnerabilities


could allow hackers to remotely exploit systems. Research carried out by Billy Rios and Mike Ahmadi used automated security scanning tools on a decommissioned device and found scores of bugs in equipment running customised versions of Windows XP. Some 715 of the flaws in ‘automated supply cabinets used to dispense medical supplies’ had a severity rating of high or critical.


In addition, in May 2016, the journal


reported that a US patient undergoing heart surgery was put at risk after anti-virus software started running on a computer monitoring the procedure.5


Peter Smithson


added that he was aware of another incident in which a CT scanner suddenly stopped to perform an anti-virus scan, so the patient had to be scanned once again. This resulted in additional radiation exposure for the patient. “So how do you control your anti-virus


software? Who is responsible? Is it the clinical engineers, the radiology department, or IT? If you are going to have better anti- virus protection, you will need to control how it operates,” Peter Smithson pointed out, adding that the configuration of systems and protection will require collaboration between departments.


Highlighting the findings of another


report, he commented that nearly three-quarters of NHS Trusts said they had no cyber-security training programme for mobile devices, despite the fact that a similar number are using these mobile devices in the workplace.6


Staff are increasingly


bringing in their own devices which pose a potential threat to the Trust’s systems, while patients and their relatives may also


PRODUCTNEW Cyber-attacks in the news


l Operations and appointments had to be cancelled at hospitals within the Northern Lincolnshire and Goole (NLAG) NHS Foundation Trust and United Lincolnshire Hospitals Trust, following a cyber-attack, in October 2016. The decision was made to shut down the majority of the IT systems so that the virus could be isolated and destroyed, causing major disruption to services. (BBC, 31 October 2016, http://www.bbc.co.uk/ news/uk-england-humber-37863949)


l In February 2016, the Hollywood Presbyterian Medical Centre in Los Angeles was hit by ransomware. Hackers were reported to have asked for a ransom of 9,000 Bitcoins (around US$5.77 million dollars.) The hospital


hack in to the WiFi, Peter Smithson warned. To address the threats posed to healthcare organisations, the FDA hosted a public workshop on collaborative approaches to medical device cyber-security, which was followed by the publication of the document ‘Post-market Management of Cyber-security in Medical Devices Draft guidance’. Published in January 2016, the guidance outlines steps that manufacturers should take to continually address cyber-security risks with devices in order to better protect the public. In the UK, NHS Digital was also commissioned by the Department of Health to develop a Care Computer Emergency Response Team (CareCERT). CareCERT is now tasked with offering advice and guidance to support health and care organisations to respond effectively and


subsequently agreed to pay a ransom of $17,000 to restore its files and systems, suffering a downtime of five working days. (Los Angeles Times, 18 February 2016, http://www.latimes.com/ business/technology/la-me-ln-hollywood- hospital-bitcoin-20160217-story.html)


l In March 2016, systems at Kentucky Methodist Hospital, Chino Valley Medical Center and Desert Valley Hospital, California, were also affected by ransomware. The software involved was reported to be ‘Locky’, which encrypts files, documents and images and renames them with the extension .locky. The most common way the virus gains access is via spam email. (BBC, 23 March 2016, http://www.bbc.co.uk/ news/technology-35880610)


safely to cyber-security threats. NHS IT and clinical engineering staff can join the scheme, to send and receive alerts, by sending a request to: carecert@nhsdigital.nhs.uk The National Data Guardian review of data security is also now underway, which is expected to produce a set of leadership responsibilities and data security standards – for example, a strategy must be in place for protecting systems from cyber threats based on a proven framework such as Cyber Essentials. Unsupported operating systems, software or internet browsers will not be allowed to be used within the IT estate. Peter Smithson explained that, in the future, clinical engineers will need to seek permission to connect devices to the network, from the chief clinical information officer within their Trust – including when


Amplify your adenoma


detec iont


Visit booth #25 at EndoLIVE 2-3 March, ICC Birmingham


20 I WWW.CLINICALSERVICESJOURNAL.COM rate


T: +4 (4 0)170 22 91878 | F: +4 (4 0)170 22 90013 | E: info@cantelmedica www.cantem dl


Campfiel Rd oad S, hoeburyness E, ssex, S3 BX9S e ical.co.uk


al.co.uk


FEBRUARY 2017


Page 1  |  Page 2  |  Page 3  |  Page 4  |  Page 5  |  Page 6  |  Page 7  |  Page 8  |  Page 9  |  Page 10  |  Page 11  |  Page 12  |  Page 13  |  Page 14  |  Page 15  |  Page 16  |  Page 17  |  Page 18  |  Page 19  |  Page 20  |  Page 21  |  Page 22  |  Page 23  |  Page 24  |  Page 25  |  Page 26  |  Page 27  |  Page 28  |  Page 29  |  Page 30  |  Page 31  |  Page 32  |  Page 33  |  Page 34  |  Page 35  |  Page 36  |  Page 37  |  Page 38  |  Page 39  |  Page 40  |  Page 41  |  Page 42  |  Page 43  |  Page 44  |  Page 45  |  Page 46  |  Page 47  |  Page 48  |  Page 49  |  Page 50  |  Page 51  |  Page 52  |  Page 53  |  Page 54  |  Page 55  |  Page 56  |  Page 57  |  Page 58  |  Page 59  |  Page 60  |  Page 61  |  Page 62  |  Page 63  |  Page 64